Make the admission webhook run #3
Conversation
| Scheme: Scheme, | ||
| ParameterCodec: metav1.ParameterCodec, | ||
| NegotiatedSerializer: Codecs, | ||
| SubresourceGroupVersionKind: map[string]schema.GroupVersionKind{ |
There was a problem hiding this comment.
@smarterclayton this tricks the REST handler code into decoding the object we want, but it is a side-effect, not intent. I think we should officially allow the intent.
| StdOut: out, | ||
| StdErr: errOut, | ||
| } | ||
| o.RecommendedOptions.Etcd = nil |
| } | ||
|
|
||
| admittingObjectName := &NamedThing{} | ||
| err := json.Unmarshal(admissionReview.Spec.Object.Raw, admittingObjectName) |
There was a problem hiding this comment.
Can't use a normal metadata path because the admission webhook is broken.
| return nil, errors.NewBadRequest(err.Error()) | ||
| } | ||
|
|
||
| if len(admittingObjectName.Name) == 0 { |
There was a problem hiding this comment.
fail closed on empty name. might be generated later, but this fails anyway.
| return admissionReview, nil | ||
| } | ||
|
|
||
| if admittingObjectName.Name == "fail-me" { |
There was a problem hiding this comment.
proof that it works. To be updated later
|
@dgoodwin let's get this closed off so I can tidy and plumb a client config in a smaller pull. We'll finally be to the meat. |
dgoodwin
left a comment
dgoodwin
left a comment
There was a problem hiding this comment.
Assuming todo's and tests to be addressed later this looks ok to me so far.
Automatic merge from submit-queue (batch tested with PRs 16861, 16438). make webhook admission kind of work This is done to support openshift/kubernetes-namespace-reservation#3 . It contains multiple fixes needed to make webhooks run at all. In addition, it changes validation rules and admission handling until we get changes like kubernetes/kubernetes#53826 into the API. This affects handling and compatibility of an alpha feature. @dgoodwin @abhgupta be ready for upgrade pain in this area. @bparees I turned this on in cluster-up. Surgery was relatively minor
2 participants
This bumps the vendored level of kube for some changes we need, then updates the templates to wire the admission hook (note that this requires patches apiserver-side), and sets up the apiserver to accept our input.